VMware published an advisory (VMSA-2022-0014) to address two vulnerabilities in its VMware Workspace ONE Access, Identity Manager and vRealize Automation products. This advisory follows an advisory from April (VMSA-2022-0011) for multiple flaws in VMware Workspace ONE.
Below is a comment from Satnam Narang, staff research engineer, Tenable who says that vulnerability chaining (in this case CVE-2022-22972 with CVE-2022-22973) is not a new phenomenon, but just as in competitive fighting games like Street Fighter and Mortal Kombat, chaining together vulnerabilities increases the impact of an attack.
The vulnerabilities patched as part of VMware’s VMSA-2022-0014 advisory along with the Emergency Directive and associated alert published by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) serve as an important reminder on the importance of patching vulnerabilities as early as possible.
Last month, VMware published an advisory for a number of flaws in the same set of products and within a few days, attackers had already begun scanning for and exploiting two of those flaws against publicly accessible systems.
The publication of the Emergency Directive gives added urgency to the Federal Civilian Executive Branch agencies in the United States, but should also be viewed by other agencies and organizations globally to urgently prioritize patching these flaws.
One of the two flaws patched today, CVE-2022-22972 is an authentication bypass vulnerability, which could be easily exploited by an attacker to gain access to these systems without having prior access to the systems. Chaining this flaw together with CVE-2022-22973 would allow an attacker to elevate privileges to gain root access on these systems. Vulnerability chaining is not a new phenomenon, but just as in competitive fighting games like Street Fighter and Mortal Kombat, chaining together vulnerabilities like moves increases the impact of an attack. — Satnam Narang, staff research engineer, Tenable